Referencing LDAP/AD attributes in post-auth section

Stefano Pardini stefanopardini at gmail.com
Wed Aug 3 18:07:26 CEST 2016


I'm sorry for asking such a simple thing but I can't find any
reference for FreeRADIUS 3.

I have been successfully using this functionality in FreeRADIUS 2, in
the same manner as reported here:
http://freeradius-users.freeradius.narkive.com/k46qBmbs/referencing-ldap-attributes-in-post-auth

I've created a new ldap module inside mods-available/ldap to extract a
specific ldap attribute (macAddress) from a specific ldap location, as
reported in the rlm_ldap module documentation.
ldap ldap_mac_auth {
        server = 'samba4.server.mynet.lan'
        identity = 'cn=administrator,cn=Users,dc=ad,dc=mynet,dc=lan'
        password = p4ss
        base_dn = 'ou=WiFi,ou=Computers,ou=MyNet,dc=ad,dc=mynet,dc=lan'

        update {
                reply:macAddress                := 'macAddress'

        }

        user {
                base_dn = "${..base_dn}"
                filter = "(&(objectClass=computer)(managedBy=%{control:Ldap-UserDn}))"
        }
}



Then I'm calling it inside the authorize section of the default server.
authorize {
..
        ldap
        ldap_mac_auth
..
}



In the post-auth section of the default server I'm applying the
following control.
post-auth {
..
        if ( "%{reply:macAddress}" == "%{Calling-Station-Id}" ) {
                 update reply {
                        Tunnel-Private-Group-Id := 43
                        Tunnel-Medium-Type := "IEEE-802"
                        Tunnel-Type := "VLAN"
                }
        }
..
}



Inside the dictionary file I've added the reference to that variable.
ATTRIBUTE       macAddress              3000    string



During the authentication process I can see the ldap_mac_auth module running.
(2) ldap_mac_auth: EXPAND (&(objectClass=computer)(managedBy=%{control:Ldap-UserDn}))
(2) ldap_mac_auth:    --> (&(objectClass=computer)(managedBy=CN\3dTest User\2cOU\3dStaff\2cOU\3dUsers\2cOU\3dMyNet\2cDC\3dad\2cDC\3dmynet\2cDC\3dlan))
(2) ldap_mac_auth: Performing search in "ou=WiFi,ou=Computers,ou=MyNet,dc=ad,dc=mynet,dc=lan" with filter "(&(objectClass=computer)(managedBy=CN\3dTest User\2cOU\3dStaff\2cOU\3dUsers\2cOU\3dMyNet\2cDC\3dad\2cDC\3dmynet\2cDC\3dlan))", scope "sub"
(2) ldap_mac_auth: Waiting for search result...
(2) ldap_mac_auth: User object found at DN
"CN=MyNetbook,OU=WiFi,OU=Computers,OU=MyNet,DC=ad,DC=mynet,DC=lan"
(2) ldap_mac_auth: Processing user attributes
(2) ldap_mac_auth: reply:macAddress := '13-59-F3-A3-94-00'



So, as you see, the macAddress ldap attribute is correctly mapped to
the reply:macAddress variable. But at the end of the process,
executing the post-auth section, this is the result:

(10)   post-auth {
(10)     if ( "%{reply:macAddress}" == "%{Calling-Station-Id}" ) {
(10)     EXPAND %{reply:macAddress}
(10)        -->
(10)     EXPAND %{Calling-Station-Id}
(10)        --> 13-59-F3-A3-94-00
(10)     if ( "%{reply:macAddress}" == "%{Calling-Station-Id}" )  -> FALSE



So the variable "reply:macAddress" couldn't be correctly expanded.

I'm using FreeRADIUS Version 3.0.12.

Thanks in advance for your help.
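Added example (not part of the original post or of FreeRADIUS itself): a Python model of two checks around this setup. The first reproduces the filter-value escaping visible in the debug output above (the user DN expanded as CN\3dTest User\2c...), which is what keeps a directory value from injecting extra filter terms into the managedBy search; the set of extra escaped characters is an assumption based only on what the log shows. The second normalises the LDAP macAddress and the Calling-Station-Id before comparing them, since NAS devices send the MAC in differing formats and a plain string compare can fail for the right device.

```python
import re

# RFC 4515 section 3: characters that must always be escaped inside an
# LDAP filter assertion value, written as backslash + two hex digits.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

def ldap_filter_escape(value: str, extra: str = "=,") -> str:
    """Escape a value for use inside an LDAP search filter.

    'extra' covers '=' and ',' which the FreeRADIUS debug output above shows
    escaped as \\3d and \\2c (assumption: the server escapes at least these).
    Escaping the value rather than the filter template is what stops a
    crafted attribute value from adding filter terms.
    """
    out = []
    for ch in value:
        if ch in _LDAP_FILTER_ESCAPES:
            out.append(_LDAP_FILTER_ESCAPES[ch])
        elif ch in extra:
            out.append(r"\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def build_managedby_filter(user_dn: str) -> str:
    """Expand the ldap_mac_auth filter with an escaped control:Ldap-UserDn."""
    return "(&(objectClass=computer)(managedBy=%s))" % ldap_filter_escape(user_dn)

def normalize_mac(mac: str):
    """Return a MAC as 12 lowercase hex digits, or None if it is not a MAC.

    Accepts '13-59-F3-A3-94-00', '13:59:f3:a3:94:00', '1359.f3a3.9400' and
    '1359F3A39400', the usual Calling-Station-Id spellings across vendors.
    """
    digits = re.sub(r"[-:.\s]", "", mac).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def mac_matches(ldap_mac: str, calling_station_id: str) -> bool:
    """True only when both values parse as MACs and name the same device.

    An empty reply:macAddress (as in the post-auth debug above) yields False,
    so a missing directory attribute never grants the VLAN.
    """
    a = normalize_mac(ldap_mac or "")
    b = normalize_mac(calling_station_id or "")
    return a is not None and a == b
```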